diff --git a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md index fa62602be..e958ea8c3 100644 --- a/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md +++ b/daprdocs/content/en/operations/hosting/kubernetes/kubernetes-production.md @@ -236,6 +236,12 @@ The injector watchdog is disabled by default when running Dapr in Kubernetes mod Refer to the documentation for the [Dapr operator]({{< ref operator >}}) service for more details on the injector watchdog and how to enable it. +## Configuring seccompProfile for sidecar containers + +By default, the Dapr sidecar Injector injects a sidecar without any `seccompProfile`. However, to have Dapr sidecar container run successfully in a namespace with [Restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) profile, the sidecar container needs to have `securityContext.seccompProfile.Type` to not be `nil`. + +Refer to [this]({{< ref "arguments-annotations-overview.md" >}}) documentation to set appropriate `seccompProfile` on sidecar container according to which profile it is running with. + ## Best Practices Watch this video for a deep dive into the best practices for running Dapr in production with Kubernetes diff --git a/daprdocs/content/en/reference/arguments-annotations-overview.md b/daprdocs/content/en/reference/arguments-annotations-overview.md index 5af0a4ed4..d1553e67e 100644 --- a/daprdocs/content/en/reference/arguments-annotations-overview.md +++ b/daprdocs/content/en/reference/arguments-annotations-overview.md @@ -66,3 +66,4 @@ This table is meant to help users understand the equivalent options for running | not supported | not supported | | `dapr.io/volume-mounts` | List of pod volumes to be mounted to the sidecar container in read-only mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | | not supported | not supported | | `dapr.io/volume-mounts-rw` | List of pod volumes to be mounted to the sidecar container in read-write mode. Strings consisting of `volume:path` pairs separated by a comma. Example, `"volume-1:/tmp/mount1,volume-2:/home/root/mount2"`. | | `--disable-builtin-k8s-secret-store` | not supported | | `dapr.io/disable-builtin-k8s-secret-store` | Disables BuiltIn Kubernetes secret store. Default value is false. See [Kubernetes secret store component]({{}}) for details. | +| not supported | not supported | | `dapr.io/sidecar-seccomp-profile-type` | Set the sidecar container's `securityContext.seccompProfile.type` to `Unconfined`, `RuntimeDefault`, or `Localhost`. By default, this annotation is not set on the Dapr sidecar, hence the field is omitted from sidecar container. |